Microsoft Security & Patch Management Solutions And Strategy Microsoft Corporation.


Transcript of Microsoft Security & Patch Management Solutions And Strategy Microsoft Corporation.

Slide 1: Microsoft Security & Patch Management Solutions And Strategy
Microsoft Corporation

Slide 2: Situation
• Timeline: Product ship, Vulnerability discovered, Component modified, Patch released, Patch deployed at customer site
• Most attacks occur in the window after the patch is released and before it is deployed at the customer site
• Process, guidance and tools are needed to close that gap
• Why does this gap exist?

Slide 3: Exploit Timeline
• Days between patch and exploit code:
  - Nimda: 331
  - SQL Slammer: 180
  - Welchia/Nachi: 151
  - Blaster: 25
• The average is now days for a patch to be reverse-engineered
• As this cycle keeps getting shorter, patching is a less effective defense in large organizations; automation for testing and deployment is needed
• Why does this gap exist?

Slide 4: Microsoft Security Response Process
(Process shared between the Product Team and the Security Team)
• Vulnerability report received, via:
  - [email protected]
  - Microsoft Technical Support
  - Mailing lists (NTBugTraq, BugTraq, etc.)
  - Web form
• Triaged for criticality: Critical, Important, Moderate, Low, None
• Issue reproduced
• Patch developed
• Patch tested: verify the issue is fixed; developer testing; sustained engineering testing; testing by customers
• Documentation developed
• Field guidance developed
• Patch released and notification sent
  - Security bulletin, Knowledge Base article, Premier customer alert
  - Notification via www.microsoft.com/security, the notification service, and mailing lists
  - Patches released on the second Tuesday of each month
• Development practices updated
• Associated with a patch release:
  - Security bulletin
  - Updated MSSecure.xml file for MBSA
  - Patch (including localized versions) on Windows Update and the Download Center
  - Update catalog for SUS

Slide 5: Improved Patching Experience
• Microsoft patch policies:
  - Non-emergency security patches on a monthly release schedule, the second Tuesday of every month (if there are any to release; sometimes there are none, as was the case for March 2005)
  - The Security Notification Service sends an alert 3 business days ahead of time
  - New alert mechanisms such as an RSS feed, IM, or the MSRC Blog
  - Security bulletins are now very comprehensive and detailed, with clear and concise language
  - Patches for emergency issues will still be released immediately

Slide 6: Enhancements to the Advanced Notification Program
• Program introduced in November 2004 to assist with preparation and resource planning
• Expanded to include the following information each month:
  - Strains of malicious software that will be cleaned by the Malicious Software Removal Tool
  - Information about the detection tool applicable to the upcoming security updates
  - Any non-security, high-priority updates on Windows Update that will be released on the same day as the security updates
• More information: www.microsoft.com/technet/security/bulletin/advance.mspx

Slide 7: New Resources This Month (April)
• MSN Security Alerts: a new security category added to the MSN Alerts Service
  - Security bulletin release notifications
  - Security incident updates
  - MSN Messenger users can receive a popup whenever new information is available
  - For more information: www.microsoft.com/security/bulletins/alerts.mspx
• RSS feed for consumer-level security bulletins
  - By using an RSS reader, customers can now be proactively notified when new bulletins are available
  - More information: www.microsoft.com/updates
• MSRC Blog on TechNet
  - First introduced during the RSA Conference in February 2005
  - Received a positive customer response
  - Moved to a more permanent home on TechNet: http://blogs.technet.com/msrc

Slide 8: Microsoft Security360, April 2005
• Register to review the April 19 session: www.microsoft.com/security360
• Topic: E-mail Security, It's More Than Filtering
• E-mail security is not just about preventing unsolicited messages; it is also about protecting the digital information assets you send through e-mail
• Discussion covering the whole spectrum of e-mail security, including filtering technologies, e-mail policies and enforcement, and partner solutions
• A checklist of recommendations and resources

Slide 9: Resources
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/ms05-Apr.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• May Security Bulletins Webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032273403&Culture=en-US
• Windows XP Service Pack 2: www.microsoft.com/technet/winxpsp2
• Windows Server 2003 Service Pack 1: www.microsoft.com/windowsserver2003/default.mspx
• Security Newsletter: www.microsoft.com/technet/security/secnews/default.mspx
• On-demand Supplement Webcast on Detection & Deployment: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032268810&Culture=en-US

Slide 10: Solutions for Management
• Patch Management Guidance
  - Provides best-practice guidance for patch management
  - Scales from small organizations up to an enterprise organization
  - People, process & tools
• The guidance consists of:
  - An end-to-end process for patching (built on MOF)
  - A description of how the tools (SMS 2003 & SUS) automate the process
  - Guidance on roles and responsibilities
  - Built upon a management architecture
• The MSM offering may be downloaded from http://www.microsoft.com/technet/itsolutions/msm
• The Patch Management Guidance can be found at http://www.microsoft.com/technet/security/topics/patchmanagement.mspx

Slide 11: Patch Management Process
(The four phases form a cycle: 1. Assess, 2. Identify, 3. Evaluate & Plan, 4. Deploy, then back to 1. Assess)
• 1. Assess the environment to be patched
  - Periodic tasks: A. Create/maintain a baseline of systems; B. Assess the patch management architecture (is it fit for purpose?); C. Review infrastructure/configuration
  - Ongoing tasks: A. Discover assets; B. Inventory clients
• 2. Identify new patches
  - Tasks: A. Identify new patches; B. Determine patch relevance (includes threat assessment); C. Verify patch authenticity & integrity (no virus; installs on an isolated system)
• 3. Evaluate & plan patch deployment
  - Tasks: A. Obtain approval to deploy the patch; B. Perform a risk assessment; C. Plan the patch release process; D. Complete patch acceptance testing
• 4. Deploy the patch
  - Tasks: A. Distribute and install the patch; B. Report on progress; C. Handle exceptions; D. Review the deployment

Slide 12: Microsoft Severity Ratings
• Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
• Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources
• Moderate: Serious vulnerability, but exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
• Low: Exploitation is extremely difficult, or impact is minimal

Slide 13: Patching Timeframes
• Recommended patching timeframe by severity rating:
  - Critical: within 24 hours
  - Important: within 1 month
  - Moderate: depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
  - Low: depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 1 year
• Factors impacting release timeframes (factor: potential impact):
  - High-value or high-exposure assets impacted: decrease timeframe
  - Assets historically attacked are impacted: decrease timeframe
  - Mitigating factors in place or will be quickly put in place: increase timeframe
  - Low risk of exposure for impacted assets: increase timeframe

Slide 14: Patch Management Process, Step 1: Assess
• Are there any threats or vulnerabilities in the environment?
• Has anything changed in production?
  - New operating systems and applications
  - Changes to the network or management infrastructure
• Accurate and up-to-date inventory information is essential to the process
• Is the management infrastructure able to support patch management?

Slide 15: Patch Management Process, Step 2: Identify
• How can you be notified about new patches?
• Is the patch relevant to the organization?
• Which systems need to be patched?
• Do all systems need to be patched with the same level of priority?
• Which systems are most vulnerable?
• Has the patch been downloaded and checked to be virus free?
• Does the patch install successfully on a trial system?
• Has a change request (RFC) been submitted for this patch?

Slide 16: Patch Management Process, Step 3: Evaluate and Plan
• Need to test the patch before deployment
• Important to ensure that business-critical functions still work
• The amount of testing will depend on risk
• Use the change management process to ensure all parties agree with the need to deploy
• If critical, use an expedited process!

Slide 17: Patch Management Process, Step 3: Evaluate and Plan (cont.)
• Consider how & when to install the patch
• The installation process may differ for server and desktop devices
• Need to consider outage windows and business continuity
• Need to consider how to patch mobile clients and clients connecting across slow or unreliable networks
• Can the patch be combined with other changes to minimize downtime?

Slide 18: Patch Management Process, Step 4: Deploy
• The production environment needs to be prepared for new patches
• Administrators/users will need to be informed of possible downtime
• Possible training to assist the support desk
• Distribution points checked to confirm the presence of the patch and associated binaries

Slide 19: Patch Management Process, Step 4: Deploy (cont.)
• Monitor patch distribution: check progress and deal with exceptions
• Releasing patches to mobile clients and slow connections:
  - The size of the patch may be a significant issue
  - Options include forcing mobile clients into the office or distributing across the network

Slide 20: Patch Management Process, Roles and Responsibilities
• People need to have defined roles and responsibilities
• Perform daily, weekly, monthly, and as-needed tasks:
  - Audit the server production environment (daily)
  - Check for new information sources (monthly)
  - Review new patch notifications (as needed)

Slide 21: Points about Patching
For successful patch management in a distributed IT environment, consider:
• How to stay aware of new patches and fixes
• Whether it is necessary to apply a particular patch
• The system-wide impact of installing a patch
• What specifically a patch will change
• Whether a patch can be removed once installed
• Dependencies between components in the production environment and the impact of applying a patch to one of those components
• How to evaluate the success of a patch installation
• The possible scenarios for restoring a patched environment

Slide 22: Solution Components
• Analysis tools: Microsoft Baseline Security Analyzer (MBSA); Office Inventory Tool
• Online update services: Windows Update; Office Update
• Content repositories: Windows Update Catalog; Office Download Catalog; Microsoft Download Center
• Management tools: Automatic Updates (AU) feature in Windows; Software Update Services (SUS); Systems Management Server (SMS)
• Prescriptive guidance: Microsoft Guide to Security Patch Management; Patch Management Using SUS; Patch Management Using SMS

Slide 23: Content Repository Comparison
• Supported software
  - Windows Update: Windows operating systems and their components only
  - Office Update: Microsoft Office and its components only
  - MS Download Center: all Microsoft products
• Supported content types
  - Windows Update: security patches, security rollups, critical updates, SPs and driver updates
  - Office Update: security patches, critical updates, and SPs
  - MS Download Center: all types of content
• Scans for updates
  - Windows Update and Office Update: yes
  - MS Download Center: no
• Usage options
  - Windows Update: user initiated (automatically detects, downloads & installs updates via the online service); Automatic Updates initiated (automatically detects & downloads updates); manual content search & download (from the Windows Update Catalog)
  - Office Update: user initiated (automatically detects, downloads & installs updates via the online service); manual content search & download (from the Office Download Catalog)
  - MS Download Center: manual content search & download only

Slide 24: Choosing A Patch Management Solution
Core patch management capabilities (Windows Update / SUS 1.0 / SMS 2003):
• Supported platforms for content
  - Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
  - SUS 1.0: Win2K, WS2003, WinXP
  - SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98
• Supported content types
  - Windows Update: all patches, updates (including drivers) & service packs (SPs) for the above
  - SUS 1.0: only security & security rollup patches, critical updates & SPs for the above
  - SMS 2003: all patches, SPs & updates for the above; supports patch, update & application installs for Microsoft and other applications
• Granularity of control
  - Targeting content to systems: Windows Update and SUS 1.0: no; SMS 2003: yes
  - Network bandwidth optimization: Windows Update: no; SUS 1.0: yes (for patch deployment); SMS 2003: yes (for patch deployment & server sync)
  - Patch distribution control: Windows Update: none; SUS 1.0: basic; SMS 2003: advanced
• Patch installation & scheduling flexibility
  - Windows Update: manual, end-user controlled
  - SUS 1.0: admin (auto) or user (manual) controlled
  - SMS 2003: administrator control with granular scheduling capabilities
• Patch installation status reporting
  - Windows Update: assessing computer history only
  - SUS 1.0: limited (client install history & server-based install logs)
  - SMS 2003: comprehensive (install status, result, and compliance details)
Additional software distribution capabilities:
• Deployment planning: Windows Update and SUS 1.0: N/A; SMS 2003: yes
• Inventory management: Windows Update and SUS 1.0: N/A; SMS 2003: yes
• Compliance checking: Windows Update and SUS 1.0: N/A; SMS 2003: yes

Slide 25: MBSA Update Scanning Functionality
• Overall direction
  - MBSA update scanning functionality integrated into Windows patch management functionality
  - MBSA becomes the Windows vulnerability assessment & mitigation engine
• Near- and intermediate-term plans
  - MBSA 1.2.1 (Q1 2004): Windows XP SP2 support; improves report consistency, product coverage, and locale support; integrates the Office Update Inventory Tool
  - MBSA 2.0 (Q2 2005): update scanning functionality migrates to Microsoft Update Services/Microsoft Update; MBSA leverages MSUS 2.0 for update scanning; beta program now open for participation

Slide 26: Adopt a Patch Management Solution
• At Microsoft, our #1 concern is the security and availability of your IT environment
• If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor. Below is a partial list of available products* (company: product, URL):
  - Altiris, Inc.: Altiris Patch Management, http://www.altiris.com
  - BigFix, Inc.: BigFix Patch Manager, http://www.bigfix.com
  - Configuresoft, Inc.: Security Update Manager, http://www.configuresoft.com
  - Ecora, Inc.: Ecora Patch Manager, http://www.ecora.com
  - GFI Software, Ltd.: GFI LANguard Network Security Scanner, http://www.gfi.com
  - Gravity Storm Software, LLC: Service Pack Manager 2000, http://www.securitybastion.com
  - LANDesk Software, Ltd.: LANDesk Patch Manager, http://www.landesk.com
  - Novadigm, Inc.: Radia Patch Manager, http://www.novadigm.com
  - PatchLink Corp.: PatchLink Update, http://www.patchlink.com
  - Shavlik Technologies: HFNetChk Pro, http://www.shavlik.com
  - St. Bernard Software: UpdateExpert, http://www.stbernard.com
• *Microsoft does not endorse or recommend a specific patch management product or company
• Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality

Slide 27: Summary
• Addressing the patch management issue is a top priority
• Taking a comprehensive, tactical & strategic approach
• Progress has been made, but much more work remains to be done
• Microsoft is focused on:
  - Reducing the number of vulnerabilities & associated patches
  - Improving customer preparedness, training & communication
  - Simplifying & standardizing the patching experience
  - Improving patch quality
  - Unifying and strengthening patch management offerings
• Key recommendations:
  - Implement a good patch management process; it's the key to success
  - Adopt a patch management solution that best fits your needs

Slide 28: Resources
• Microsoft Security Response Center: to report a suspected vulnerability, send e-mail to [email protected]
• Microsoft Virus Safety Line
  - Outside the U.S., contact the local Microsoft PSS support center
  - In the U.S.: 1-866-PC-SAFETY
• Premier Support: 1-800-936-3100
• Warning: Microsoft never distributes software via e-mail; please see http://www.microsoft.com/technet/security/policy/swdist.asp

Slide 29: (no text in the transcript)

Slide 30: The Ten Immutable Laws of Security Patch Management
• Law #1: Security Patches are a Fact of Life.
• Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
• Law #3: There is No Patch for Bad Judgment.
• Law #4: You Can't Patch What You Don't Know You Have.
• Law #5: The Most Effective Patch is The One You Don't Have to Apply.
• Law #6: A Service Pack Covers a Multitude of Patches.
• Law #7: All Patches Are Not Created Equal.
• Law #8: Never Base Your Patching Decision on Whether You've Seen Exploit Code Unless You've Seen Exploit Code.
• Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
• Law #10: Patch Management is Really Risk Management.
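As an added example (not part of the deck), the Python script below turns the process of slides 11 to 13 into a compliance report: from a constructed inventory and bulletin list it identifies the relevant patches each host is missing, adjusts the recommended timeframe with the asset factors of slide 13, and reports which items are overdue (Law #10, patch management as risk management). The bulletin ids, hosts and the halve/double adjustment are assumptions; the deck only says "decrease" or "increase" the timeframe.

```python
"""Patch-compliance report built from the deck's four-step process:
assess (inventory), identify (relevant, missing patches), evaluate (risk-adjusted
deadline), deploy (report on progress). Sample data is constructed, not real."""
from datetime import date, timedelta

# Recommended patching timeframes from slide 13, in days.
# "1 month" / "4 months" / "1 year" taken as 30 / 120 / 365 days (assumption).
BASE_DAYS = {"Critical": 1, "Important": 30, "Moderate": 120, "Low": 365}

# Constructed bulletins: placeholder ids, not real Microsoft bulletin numbers.
BULLETINS = [
    {"id": "MSYY-001", "severity": "Critical", "released": date(2005, 4, 12),
     "products": {"Windows XP", "Windows Server 2003"}},
    {"id": "MSYY-002", "severity": "Important", "released": date(2005, 4, 12),
     "products": {"Windows Server 2003"}},
    {"id": "MSYY-003", "severity": "Moderate", "released": date(2005, 3, 8),
     "products": {"Windows XP"}},
]
# Constructed inventory (step 1: assess). Flags map to the slide 13 factors.
INVENTORY = [
    {"host": "web01", "product": "Windows Server 2003", "installed": set(),
     "high_value": True, "historically_attacked": True, "mitigated": False},
    {"host": "lab07", "product": "Windows XP", "installed": {"MSYY-001"},
     "high_value": False, "historically_attacked": False, "mitigated": True},
]

def timeframe_days(severity, asset):
    """Risk-adjust the base timeframe (step 3: evaluate). Halving/doubling is
    an assumption; the deck only says decrease or increase the timeframe."""
    days = BASE_DAYS[severity]
    if asset["high_value"] or asset["historically_attacked"]:
        days = max(1, days // 2)   # high-value or previously attacked: decrease
    elif asset["mitigated"]:
        days *= 2                  # mitigating factors in place: increase
    return days

def compliance_report(inventory, bulletins, today):
    """Step 2 (identify relevant, missing patches) and step 4 (report on
    progress): one row per host per missing bulletin, with due date and flag."""
    rows = []
    for asset in inventory:
        for b in bulletins:
            if asset["product"] not in b["products"] or b["id"] in asset["installed"]:
                continue           # not relevant to this host, or already deployed
            due = b["released"] + timedelta(days=timeframe_days(b["severity"], asset))
            rows.append({"host": asset["host"], "bulletin": b["id"],
                         "severity": b["severity"], "due": due,
                         "overdue": today > due})
    # Critical first, then earliest due date: the order an operator should work.
    order = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
    rows.sort(key=lambda r: (order[r["severity"]], r["due"]))
    return rows

if __name__ == "__main__":
    for r in compliance_report(INVENTORY, BULLETINS, date(2005, 5, 2)):
        print(r["host"], r["bulletin"], r["severity"], r["due"],
              "OVERDUE" if r["overdue"] else "")
```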